Microsoft Account – Bring Your Own Identity

When you start a new job, there’s only one you. You don’t get a new identity just because you started at a new company. You have the same Social Security number, you have the same fingerprints, same birthdate, same home town. You get a collection of credentials that give you access to company resources, but you don’t really get a new “identity”.

In fact, pretty much the only time you get a completely new identity is if you enter the Federal Witness Protection Program.

What does happen is that you go into a new job, tell them who you are, present your actual identity cards or passport, and they establish a pseudo-identity for you within the organization.

For some reason, along the way, it became normal to have your corporate identity be who you are. When we look at Active Directory (AD), and any other LDAP-based directory, over the last decade or so, a lot of their growth has been around trying to make that the single identity you use within the company, and even federating it out when you need to connect to external resources outside the organization.
But again, when you leave that company, you take your own identity with you and the corporate one stays behind. The email address, the AD access, the server access, the application access, the database access: all of it was part of your role in the company, and it ceases to be the day you leave.

Last year, when Microsoft announced Windows RT, a lot of us… well… kind of freaked out, because Windows RT didn’t include Active Directory membership, let alone any ability to manage the device through Group Policy (GP). After more than 12 years, Microsoft was saying “no… no… no… you don’t have to use AD to manage this machine. In fact, it can’t even join AD”. In terms of centralized management, it was Windows 9x all over again.

What’s most fascinating to me about Windows RT, though, is that your identity when you log on to that machine is a Microsoft account, the thing we used to call Passport, Live ID, etc. Microsoft has made your personal Microsoft Account the central hub of everything you do now, from Windows to SkyDrive, Outlook.com, Office, and the Windows Store, because the device is a personal device which may also be used with work resources. Most importantly, this account is yours. Your employer has no control over it. Regrettably, that includes no ability to manage such things as password complexity, or how you handle data that crosses from company systems over the threshold of your device and out to the unmanaged SkyDrive service, or any other cloud storage service.

A blog post I ran across a few weeks ago about “BYOI” caught my attention. That’s bring your own identity, for those of you keeping score of the acronyms at home. Microsoft hasn’t stated anything of the sort, but I have to look at what’s in Windows RT and wonder if BYOI isn’t indeed part of a bigger trend.

In many ways BYOI reflects the whole BYOD or COPE movement, or whatever we want to call it: the idea that IT doesn’t own or manage devices any longer, users do. And just as you never would have brought a home computer into your company and joined it to AD back then, why would you do that today? As I alluded to almost a year and a half ago in my post where I argued that hypervisors on phones were a bad idea, it’s not about managing devices anymore. At best, it’s about managing applications, and even more about managing access to data from within applications. Lose the device? Who cares. Brick it. Lose the application? Who cares; you didn’t lose the credentials. Lost the credentials? Revoke them and issue new ones to the user. We’ve lived in this world of device dictatorship not because it was the best way to create productive users, but because Windows was created as an “anything goes, all users are admin” world, with a common filesystem shared promiscuously by any code that can run on the system. We’re moving towards a world where data, not the device, is the hub, and identity, not the device, is the key that unlocks access to that data.

The BYOI post that I mentioned earlier didn’t really talk about this aspect; it went off on a different tangent. But my point is: what if it doesn’t matter which set of credentials you use to log on to a device? Technologies like Exchange ActiveSync and other mobile device management technologies give IT the ability to nuke a device from orbit if they want to. It’s not that AD is dead, it’s just that Microsoft understands that AD isn’t an active part of users’ personal machines (those they personally acquired).
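The “nuke it from orbit” capability mentioned above is, concretely, an Exchange ActiveSync remote wipe. The script below is an added example, not code from the original post, showing what that looks like from the Exchange Management Shell: enumerate every ActiveSync partnership for a mailbox, request a wipe for each, and then read back whether the device has acknowledged it. It assumes an Exchange 2013 or later (or Exchange Online) shell session with the relevant RBAC role; the mailbox alias and notification address are placeholders.

```powershell
# Added example (not from the original post): request an Exchange ActiveSync
# remote wipe for every device paired with a mailbox and report its status.
# Assumes an Exchange 2013+ / Exchange Online management shell session.
# $Mailbox and $NotifyAddress are placeholders, not values from the post.

param(
    [Parameter(Mandatory)] [string] $Mailbox,          # e.g. 'jdoe' (placeholder)
    [string] $NotifyAddress = 'helpdesk@example.com',  # placeholder
    [switch] $Cancel                                   # withdraw a pending wipe instead
)

# One row per ActiveSync partnership, with the wipe timestamps that
# Get-MobileDeviceStatistics tracks for each device.
$devices = Get-MobileDevice -Mailbox $Mailbox | ForEach-Object {
    $stats = Get-MobileDeviceStatistics -Identity $_.Identity
    [pscustomobject]@{
        Identity      = $_.Identity
        Model         = $_.DeviceModel
        FriendlyName  = $_.FriendlyName
        LastSync      = $stats.LastSuccessSync
        WipeRequested = $stats.DeviceWipeRequestTime
        WipeSent      = $stats.DeviceWipeSentTime
        WipeAcked     = $stats.DeviceWipeAckTime
    }
} | Sort-Object LastSync -Descending

if (-not $devices) {
    Write-Warning "No ActiveSync devices are paired with mailbox '$Mailbox'."
    return
}

$devices | Format-Table -AutoSize

foreach ($d in $devices) {
    if ($Cancel) {
        # A wipe that has been requested but not yet delivered can still be withdrawn.
        Clear-MobileDevice -Identity $d.Identity -Cancel -Confirm:$false
        continue
    }

    # Idempotent: leave a wipe that is already pending (requested, not acknowledged) alone.
    if ($d.WipeRequested -and -not $d.WipeAcked) { continue }

    Clear-MobileDevice -Identity $d.Identity `
        -NotificationEmailAddresses $NotifyAddress `
        -Confirm:$false
}

# The wipe command is delivered on the device's next sync. DeviceWipeSentTime is
# set when it goes out and DeviceWipeAckTime when the device confirms, so this
# query is worth re-running until every row has an acknowledgement.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceModel, LastSuccessSync,
        DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

On Exchange 2010 the same cmdlets carry the older names (Get-ActiveSyncDevice, Get-ActiveSyncDeviceStatistics, Clear-ActiveSyncDevice). Note that nothing here touches the user’s own Microsoft account: the wipe is issued against the partnership the device established with the corporate mailbox, which is exactly the point the post is making about where IT’s control actually lives.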

An iPad or iPhone never asks for credentials to log on to the device, but of course it never really establishes your identity either (there is exactly one user on any iOS device; everyone who picks it up shares a single identity across the OS, for better or worse). Instead, in iOS it is really the applications that hold your identity and authenticate you to the assets of the company (or Apple, or Netflix, etc.). An even better aspect of this is that these applications usually hold little state on the device. What they do is allow authentication and state to be managed and secured by the application rather than by the operating system (just as Windows Store applications and many well-managed IT applications do). All iOS owns is the management and security of which applications are allowed to be installed and run on the device, and the secure storage of data. It also owns destruction of the operating system and all of the data on the device if the device is lost or compromised and the passcode is entered incorrectly too many times, or if the device is forcibly wiped through Exchange or other device management software.

In a somewhat fascinating turn of events, even Office 2013 and Office 365 do the same. While you can store data locally, your Microsoft Account or Office 365 account can be different from your AD account, and it is used to license the software to you and to provide shared storage in the cloud (yes, an Office 365 account can be tied back to AD, but the point is that Office, not Windows, is providing that authentication gateway). Identity is moving up the stack, from an OS-level service to an application-level service, where you can just as easily bring your own identity, which can be, but doesn’t have to be, a single directory used across a device for everything.

1 comment

Orgs have a *little* control over passwords; they can turn off picture password, for example. But yes, with information-centric security in the org and BitLocker on RT, why should the org care about my account or my password? People-centric management is what Microsoft has been calling it since last MMS.